
feat: add dependency information to conan lockfile parser #2131

Merged
merged 3 commits into from
Sep 15, 2023

Conversation


@Pro Pro commented Sep 14, 2023

This MR adds proper dependency parsing from the conan lockfile.

The example output of the conan.lock file included in this MR is:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:d8a5a0b5-2263-4417-aa54-bae41d86bb13",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-14T13:33:39+02:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "[not provided]"
      }
    ],
    "component": {
      "bom-ref": "7ea68ac679dc44fd",
      "type": "file",
      "name": "conan.lock",
      "version": "sha256:sha256:421e3aca902b6310bc89875e13c135843d574a0d01bc399c895fde46ecc16068"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:conan/boost@1.75.0?package-id=aba68c636d6b683d",
      "type": "library",
      "name": "boost",
      "version": "1.75.0",
      "cpe": "cpe:2.3:a:boost:boost:1.75.0:*:*:*:*:*:*:*",
      "purl": "pkg:conan/boost@1.75.0",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    },
    {
      "bom-ref": "pkg:conan/bzip2@1.0.8?package-id=2a13ac92db8e1658",
      "type": "library",
      "name": "bzip2",
      "version": "1.0.8",
      "cpe": "cpe:2.3:a:bzip2:bzip2:1.0.8:*:*:*:*:*:*:*",
      "purl": "pkg:conan/bzip2@1.0.8",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    },
    {
      "bom-ref": "pkg:conan/libbacktrace@cci.20210118?package-id=11f1bbc08eaadac0",
      "type": "library",
      "name": "libbacktrace",
      "version": "cci.20210118",
      "cpe": "cpe:2.3:a:libbacktrace:libbacktrace:cci.20210118:*:*:*:*:*:*:*",
      "purl": "pkg:conan/libbacktrace@cci.20210118",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    },
    {
      "bom-ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel&package-id=3117859c73631bd1",
      "type": "library",
      "name": "mfast",
      "version": "1.2.2",
      "cpe": "cpe:2.3:a:mfast:mfast:1.2.2:*:*:*:*:*:*:*",
      "purl": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    },
    {
      "bom-ref": "pkg:conan/tinyxml2@9.0.0?package-id=da460e25508a66a4",
      "type": "library",
      "name": "tinyxml2",
      "version": "9.0.0",
      "cpe": "cpe:2.3:a:tinyxml2:tinyxml2:9.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:conan/tinyxml2@9.0.0",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    },
    {
      "bom-ref": "pkg:conan/zlib@1.2.12?package-id=f23da074dc9de6d1",
      "type": "library",
      "name": "zlib",
      "version": "1.2.12",
      "cpe": "cpe:2.3:a:zlib:zlib:1.2.12:*:*:*:*:*:*:*",
      "purl": "pkg:conan/zlib@1.2.12",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "conan-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "c++"
        },
        {
          "name": "syft:package:metadataType",
          "value": "ConanLockMetadataType"
        },
        {
          "name": "syft:package:type",
          "value": "conan"
        },
        {
          "name": "syft:location:0:path",
          "value": "/conan.lock"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:conan/boost@1.75.0?package-id=aba68c636d6b683d",
      "dependsOn": [
        "pkg:conan/bzip2@1.0.8?package-id=2a13ac92db8e1658",
        "pkg:conan/libbacktrace@cci.20210118?package-id=11f1bbc08eaadac0",
        "pkg:conan/zlib@1.2.12?package-id=f23da074dc9de6d1"
      ]
    },
    {
      "ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel&package-id=3117859c73631bd1",
      "dependsOn": [
        "pkg:conan/boost@1.75.0?package-id=aba68c636d6b683d",
        "pkg:conan/tinyxml2@9.0.0?package-id=da460e25508a66a4"
      ]
    }
  ]
}


kzantow commented Sep 14, 2023

This looks like a great change @Pro! A couple notes:

This modifies the Syft JSON, so you'd need to update the JSON schema. Basically: bump the patch version (since this is just addition) major version (since this is a breaking schema change) in https://github.com/anchore/syft/blob/main/internal/constants.go#L6, run make generate-json-schema, and commit the changes.

And, you'll need to Sign-off your commits: https://github.com/anchore/syft/blob/main/CONTRIBUTING.md#sign-off-your-work

Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>

Pro commented Sep 14, 2023

@kzantow can you please clarify the following for me:

The CycloneDX contains this metadata

"component": {
  "bom-ref": "7ea68ac679dc44fd",
  "type": "file",
  "name": "conan.lock",
  "version": "sha256:sha256:421e3aca902b6310bc89875e13c135843d574a0d01bc399c895fde46ecc16068"
}

But if I upload this bom to DependencyTrack, the Dependency Tree is not properly built.

Only if I change the metadata to the following, it is properly shown (i.e. bom-ref should point to a component in the list).

"component": {
  "bom-ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel&package-id=3117859c73631bd1",
  "type": "library",
  "name": "mfast",
  "version": "1.2.2"
}

But I can only set name and version via the command line args.

What would be the correct way to set this?


kzantow commented Sep 14, 2023

@Pro are you referring to the metadata.component? This is the "source" you scanned: image, directory, file, etc. However, this does not really have dependencies to the other components. Creating a graph in CycloneDX is much more limited than in SPDX -- in SPDX we add CONTAINS relationships for this, but the only option in CycloneDX is dependencies, which isn't accurate and we try very hard not to misuse the formats. I'm curious if you add additional dependency entries from the first entry to the other top-level components, does it look to work properly in DependencyTrack?

Also: I misspoke earlier and the schema change was breaking, so I went ahead and updated it on this PR (and also pushed a very small tweak I think helps readability just a bit)
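The two points raised in this thread, the new `dependencies` array in the PR description and the metadata.component bom-ref that no dependency entry refers to, can be checked mechanically before an SBOM is handed to a consumer such as DependencyTrack. The following is an added example, not code from syft or from this PR; the sample BOM is constructed to mirror the shape of the output above with shortened bom-refs, and the function names are my own.

```python
import json

# Constructed sample in the shape syft emits for this PR's conan.lock
# (bom-refs shortened; not the exact JSON from the page).
SAMPLE_BOM = json.loads("""{
  "metadata": {"component": {"bom-ref": "7ea68ac679dc44fd", "type": "file", "name": "conan.lock"}},
  "components": [
    {"bom-ref": "pkg:conan/boost@1.75.0", "name": "boost"},
    {"bom-ref": "pkg:conan/bzip2@1.0.8", "name": "bzip2"},
    {"bom-ref": "pkg:conan/libbacktrace@cci.20210118", "name": "libbacktrace"},
    {"bom-ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel", "name": "mfast"},
    {"bom-ref": "pkg:conan/tinyxml2@9.0.0", "name": "tinyxml2"},
    {"bom-ref": "pkg:conan/zlib@1.2.12", "name": "zlib"}
  ],
  "dependencies": [
    {"ref": "pkg:conan/boost@1.75.0",
     "dependsOn": ["pkg:conan/bzip2@1.0.8", "pkg:conan/libbacktrace@cci.20210118", "pkg:conan/zlib@1.2.12"]},
    {"ref": "pkg:conan/my_user/mfast@1.2.2?channel=my_channel",
     "dependsOn": ["pkg:conan/boost@1.75.0", "pkg:conan/tinyxml2@9.0.0"]}
  ]
}""")

def audit_dependency_graph(bom):
    """Cross-check the CycloneDX 'dependencies' array against 'components'.
    dangling: refs used in the graph that match no component bom-ref.
    roots: components nothing depends on (the top of the tree).
    root_in_graph: whether metadata.component's bom-ref appears in the graph;
    a consumer that builds the tree from that ref sees nothing if it does not."""
    known = {c["bom-ref"] for c in bom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    depended_on = {t for targets in edges.values() for t in targets}
    used = set(edges) | depended_on
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    return {"dangling": sorted(used - known),
            "roots": sorted(known - depended_on),
            "root_in_graph": meta_ref in used}

def transitive_deps(bom, ref):
    """All refs reachable from `ref` via dependsOn edges (cycle-safe DFS)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), list(edges.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(edges.get(cur, []))
    return sorted(seen)
```

On the sample, the audit reports no dangling refs, `mfast` as the only root, and `root_in_graph` false for the `conan.lock` file component, which is exactly the situation the thread describes.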


Pro commented Sep 14, 2023

@kzantow Thanks!
That makes it more clear. Will play around with SPDX then.

This MR is ready from my side.


@kzantow kzantow left a comment


Thanks for the contribution @Pro!

@kzantow kzantow merged commit ec4d595 into anchore:main Sep 15, 2023
9 checks passed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024